Microsoft Warns Of Widespread Phishing Attacks Using Open Redirects

Microsoft team has warned that it has been tracking a widespread credential-phishing campaign that relies on open redirector links, in email communications as a vector to simultaneously trick users into visiting malicious websites while effectively bypassing security software.

In a blog post, the Microsoft 365 Defender Threat Intelligence Team said “Attackers combine these links with social engineering baits that impersonate well-known productivity tools and services to lure users into clicking.” The team added that “Doing so leads to a series of redirections – including a CAPTCHA verification page that adds a sense of legitimacy and attempts to evade some automated analysis systems – before taking the user to a fake sign-in page.” “This ultimately leads to credential compromise, which opens the user and their organization to other attacks,” the team said.

An open redirect is when a web application allows an HTTP parameter to contain a user-supplied URL that causes the HTTP request to be redirected to the referenced resource. The redirect links in email messages serve a vital tool to take recipients to third-party websites or track click rates and measure the success of sales and marketing campaigns. In this case, the same technique has been abused by adversaries to redirect such links to their own infrastructure and at the same time keeping the trusted domain in the full URL intact to evade analysis by anti-malware engines, even when users attempt to hover on links to check for any signs of suspicious content.

According to Microsoft, the messages in this particular campaign, according to the company, tend to follow a common pattern. They use a few generic subject lines in this manner:

• [Recipient username] 1 New Notification
• Report Status for [Recipient Domain Name] at [Date and Time]
• Zoom Meeting for [Recipient Domain Name] at [Date and Time]
• Status for [Recipient Domain Name] at [Date and Time]
• Password Notification for [Recipient Domain Name] at [Date and Time]
• [Recipient username] eNotification.

To give the attack a veneer of authenticity, clicking the specially-crafted links redirects the users to a malicious landing page that employs Google reCAPTCHA to block any dynamic scanning attempts. Upon completion of the CAPTCHA verification, the victims are displayed a fraudulent login page mimicking a known service like Microsoft Office 365 or Zoom, only to swipe their passwords upon submitting the information.

Microsoft says it has detected at least 350 unique phishing domains involved in this campaign to mislead unsuspecting victims. According to the Intelligence Team “This phishing campaign exemplifies the perfect storm of [social engineering, detection evasion, and a large attack infrastructure] in its attempt to steal credentials and ultimately infiltrate a network.” The team added, “Organizations must therefore have a security solution that will provide them multi-layered defense against these types of attacks, given that 91% of all cyber-attacks originate with email.”